Bug 2029923 (CVE-2021-4083) - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4083
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2030416 2030417 2030418 2032299 2032300 2032301 2032302 2032303 2032304 2032305 2032306 2032307 2032308 2032474 2032475 2032476 2032477 2032478 2032479 2032480 2032481 2032489 2032490 2032491 2032492 2032493 2032494 2032495 2032496 2032815 2032816 2056596
Blocks: 2029320 2032781
Reported: 2021-12-07 15:07 UTC by Alex
Modified: 2023-07-11 11:29 UTC

Fixed In Version: kernel 5.16-rc4
Doc Type: If docs needed, set a value
Doc Text:
A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-06-03 17:12:52 UTC
Embargoed:
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2022:1261 | 0 | None | None | None | 2022-04-06 18:40:47 UTC
Red Hat Product Errata | RHBA-2022:1282 | 0 | None | None | None | 2022-04-08 13:26:45 UTC
Red Hat Product Errata | RHBA-2022:1317 | 0 | None | None | None | 2022-04-12 11:21:16 UTC
Red Hat Product Errata | RHBA-2022:1533 | 0 | None | None | None | 2022-04-25 20:01:56 UTC
Red Hat Product Errata | RHBA-2022:2229 | 0 | None | None | None | 2022-05-12 11:26:59 UTC
Red Hat Product Errata | RHBA-2022:4630 | 0 | None | None | None | 2022-05-18 11:46:45 UTC
Red Hat Product Errata | RHBA-2022:4693 | 0 | None | None | None | 2022-05-19 05:11:12 UTC
Red Hat Product Errata | RHBA-2022:4969 | 0 | None | None | None | 2022-06-08 18:40:19 UTC
Red Hat Product Errata | RHBA-2022:5088 | 0 | None | None | None | 2022-06-16 11:23:38 UTC
Red Hat Product Errata | RHSA-2022:0820 | 0 | None | None | None | 2022-03-10 15:54:23 UTC
Red Hat Product Errata | RHSA-2022:0821 | 0 | None | None | None | 2022-03-10 15:13:14 UTC
Red Hat Product Errata | RHSA-2022:0823 | 0 | None | None | None | 2022-03-10 15:31:35 UTC
Red Hat Product Errata | RHSA-2022:0851 | 0 | None | None | None | 2022-03-14 10:19:12 UTC
Red Hat Product Errata | RHSA-2022:0925 | 0 | None | None | None | 2022-03-15 13:36:42 UTC
Red Hat Product Errata | RHSA-2022:0958 | 0 | None | None | None | 2022-03-17 16:28:05 UTC
Red Hat Product Errata | RHSA-2022:1103 | 0 | None | None | None | 2022-03-29 09:07:17 UTC
Red Hat Product Errata | RHSA-2022:1104 | 0 | None | None | None | 2022-03-29 08:50:49 UTC
Red Hat Product Errata | RHSA-2022:1107 | 0 | None | None | None | 2022-03-29 09:54:45 UTC
Red Hat Product Errata | RHSA-2022:1185 | 0 | None | None | None | 2022-04-05 08:47:52 UTC
Red Hat Product Errata | RHSA-2022:1198 | 0 | None | None | None | 2022-04-05 17:16:11 UTC
Red Hat Product Errata | RHSA-2022:1199 | 0 | None | None | None | 2022-04-05 17:16:49 UTC
Red Hat Product Errata | RHSA-2022:1263 | 0 | None | None | None | 2022-04-07 09:03:01 UTC
Red Hat Product Errata | RHSA-2022:1324 | 0 | None | None | None | 2022-04-12 15:37:12 UTC
Red Hat Product Errata | RHSA-2022:1373 | 0 | None | None | None | 2022-04-13 19:58:43 UTC
Red Hat Product Errata | RHSA-2022:1413 | 0 | None | None | None | 2022-04-19 15:05:12 UTC
Red Hat Product Errata | RHSA-2022:1418 | 0 | None | None | None | 2022-04-19 16:19:01 UTC
Red Hat Product Errata | RHSA-2022:1455 | 0 | None | None | None | 2022-04-20 16:20:38 UTC
Red Hat Product Errata | RHSA-2022:1975 | 0 | None | None | None | 2022-05-10 14:40:30 UTC
Red Hat Product Errata | RHSA-2022:1988 | 0 | None | None | None | 2022-05-10 14:46:29 UTC
Red Hat Product Errata | RHSA-2022:2189 | 0 | None | None | None | 2022-05-11 13:21:06 UTC
Red Hat Product Errata | RHSA-2022:4896 | 0 | None | None | None | 2022-06-03 13:48:32 UTC

Description Alex 2021-12-07 15:07:54 UTC
Another possible race with Unix domain socket garbage collection that can lead to read memory after free.
An older, more or less similar issue is CVE-2021-0920, with the fix commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
This race happens if the file handler is in the process of being closed: the close() could happen before the fget(), and then the garbage collector can get confused by this situation, having seen a file with no remaining external references and then seeing it attached to an fd.

Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=054aa8d439b9
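
The following is a user-space model of the lookup/close window described above, added here as an illustration; it is not kernel code and not part of this bug report. It assumes its own names (fget_old, fget_fixed, simulated_close, reset_table) and models one file object with a refcount, one fd table slot, and a flag that stands in for a concurrent close(); the fixed variant re-checks the slot after taking the reference, which is the check the title of the upstream commit refers to.

```c
#include <stdatomic.h>
#include <stddef.h>
/* Constructed model, not kernel code: one file object with a refcount, one fd
 * table slot, and a flag standing in for a close() that runs in the window
 * between reading the slot and taking the reference. */
struct file { atomic_long f_count; };
struct file file_a;                    /* the file installed in the slot */
static struct file *_Atomic fd_slot;   /* the fd table entry being looked up */
static int race_with_close;            /* 1: close() lands inside the window */

long file_count(struct file *f) { return atomic_load(&f->f_count); }
static void fput(struct file *f) { atomic_fetch_sub(&f->f_count, 1); }
/* Take a reference only while the count is non-zero (inc_not_zero semantics). */
static int get_file_rcu(struct file *f) {
    long c = atomic_load(&f->f_count);
    while (c != 0)
        if (atomic_compare_exchange_weak(&f->f_count, &c, c + 1))
            return 1;
    return 0;
}
/* close(): clear the slot first, then drop the fd table's reference. */
static void simulated_close(void) {
    struct file *f = atomic_exchange(&fd_slot, (struct file *)NULL);
    if (f) fput(f);
}

/* Start state: slot -> file_a holding two refs: the fd table's and one
 * in-flight SCM_RIGHTS reference, which is what the unix GC tracks. */
void reset_table(int race) {
    atomic_store(&file_a.f_count, 2);
    atomic_store(&fd_slot, &file_a);
    race_with_close = race;
}

/* Vulnerable lookup: may hand out a ref to a file no fd table points at. */
struct file *fget_old(void) {
    struct file *f = atomic_load(&fd_slot);
    if (race_with_close) simulated_close();    /* the window from the report */
    if (!f || !get_file_rcu(f)) return NULL;
    return f;
}

/* Fixed lookup: after taking the ref, confirm the slot still holds f. */
struct file *fget_fixed(void) {
    struct file *f = atomic_load(&fd_slot);
    if (race_with_close) simulated_close();
    if (!f || !get_file_rcu(f)) return NULL;
    if (atomic_load(&fd_slot) != f) { fput(f); return NULL; }
    return f;
}
```

With the race flag set, fget_old returns file_a even though no slot points at it any more, while fget_fixed drops the reference it just took and returns NULL.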

Comment 13 Sandro Bonazzola 2022-02-21 14:49:13 UTC
Created oVirt tracking bug for this issue:

Affects: oVirt Node 4.4 [ #2056596 ]

Comment 14 errata-xmlrpc 2022-03-10 15:13:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0821 https://access.redhat.com/errata/RHSA-2022:0821

Comment 15 errata-xmlrpc 2022-03-10 15:31:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0823 https://access.redhat.com/errata/RHSA-2022:0823

Comment 16 errata-xmlrpc 2022-03-10 15:54:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0820 https://access.redhat.com/errata/RHSA-2022:0820

Comment 17 errata-xmlrpc 2022-03-14 10:19:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0851 https://access.redhat.com/errata/RHSA-2022:0851

Comment 18 errata-xmlrpc 2022-03-15 13:36:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0925 https://access.redhat.com/errata/RHSA-2022:0925

Comment 19 errata-xmlrpc 2022-03-17 16:28:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0958 https://access.redhat.com/errata/RHSA-2022:0958

Comment 20 errata-xmlrpc 2022-03-29 08:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1104 https://access.redhat.com/errata/RHSA-2022:1104

Comment 21 errata-xmlrpc 2022-03-29 09:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:1103 https://access.redhat.com/errata/RHSA-2022:1103

Comment 22 errata-xmlrpc 2022-03-29 09:54:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:1107 https://access.redhat.com/errata/RHSA-2022:1107

Comment 24 errata-xmlrpc 2022-04-05 08:47:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1185 https://access.redhat.com/errata/RHSA-2022:1185

Comment 25 errata-xmlrpc 2022-04-05 17:16:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1198 https://access.redhat.com/errata/RHSA-2022:1198

Comment 26 errata-xmlrpc 2022-04-05 17:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1199 https://access.redhat.com/errata/RHSA-2022:1199

Comment 27 errata-xmlrpc 2022-04-07 09:02:56 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263

Comment 28 errata-xmlrpc 2022-04-12 15:37:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:1324 https://access.redhat.com/errata/RHSA-2022:1324

Comment 29 errata-xmlrpc 2022-04-13 19:58:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:1373 https://access.redhat.com/errata/RHSA-2022:1373

Comment 30 errata-xmlrpc 2022-04-19 15:05:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1413 https://access.redhat.com/errata/RHSA-2022:1413

Comment 31 errata-xmlrpc 2022-04-19 16:18:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1418 https://access.redhat.com/errata/RHSA-2022:1418

Comment 32 errata-xmlrpc 2022-04-20 16:20:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1455 https://access.redhat.com/errata/RHSA-2022:1455

Comment 33 errata-xmlrpc 2022-05-10 14:40:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 34 errata-xmlrpc 2022-05-10 14:46:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 35 errata-xmlrpc 2022-05-11 13:21:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:2189 https://access.redhat.com/errata/RHSA-2022:2189

Comment 36 errata-xmlrpc 2022-06-03 13:48:28 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:4896 https://access.redhat.com/errata/RHSA-2022:4896

Comment 37 Product Security DevOps Team 2022-06-03 17:12:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4083
